Guest post Gene Fry, vice president of technology and compliance officer, Scrypt, Inc.
According to the 2016 Survey of America’s Physicians, around 70 percent of the nearly 800,000 physicians in active patient care in the U.S. work independently or in practices consisting of 30 physicians or fewer. For these small and medium sized practices, maintaining a robust HIPAA (Health Insurance Portability and Accountability Act of 1996) compliance strategy is extremely difficult. In fact, one report suggests a third of small practices do not have a HIPAA compliance plan in place at all, which is a worrying statistic, given the potential repercussions of a HIPAA breach.
Only last year, HHS’ Office for Civil Rights (OCR), the agency responsible for enforcing the HIPAA Privacy and Security rules, announced an initiative to more widely investigate smaller HIPAA breaches. While this may not have been directly aimed at small practices – small breaches can just as easily occur at large organizations – it provided a stark reminder to all covered entities that no organization is exempt from the rules, and noncompliance is noncompliance, regardless of magnitude or intent.
To highlight this, back in 2012, Phoenix Cardiac Surgery — a four-physician practice based in Arizona — was fined $100,000 and required to take corrective actions, after it was revealed the company had been using a publically accessible calendar service to transmit ePHI to employees’ private email accounts. This violation would have been avoidable, had the offender known the use of such technologies by a medical practice is prohibited under HIPAA.
Small and medium practices, big responsibilities
Keeping on top of HIPAA compliance, alongside the many other regulatory constraints that come with managing a busy medical practice, is a challenge for any organization, but small and medium practices typically have fewer resources and less budget to manage and mitigate risks effectively in-house, so the challenge is larger than most.
Managing a full-time HIPAA compliance program, for example, is simply not feasible for most small organizations, as they are unlikely to have staff members who possess the necessary skills to lead a team in promoting HIPAA best practices, as well as undertaking risk assessments and so on. As such, all responsibility lands with the medical staff, who must assume dual roles; as both clinicians, and compliance experts. While it could be argued that every medical professional should be well versed in HIPAA compliance anyway, the reality is not all are, and this presents major security and privacy risks.
The good news is, there are some relatively easy steps small- and medium-sized practices can take to significantly minimize the risk of a HIPAA breach occurring, that don’t require any major financial investment. While the following points are not a definitive list of HIPAA requirements, they should provide a good starting point.
Start with the basics and build up
HIPAA is complex and often overwhelming, but there’s no point worrying about the small details if the fundamentals are not in place. Organizations must ensure that all staff are familiar with the following key areas of HIPAA:
- Why HIPAA exists and who it covers
- Key requirements under the HIPAA Privacy Rule, the Security Rule and the Breach Notification Rule
- Protected Health Information (PHI/ePHI) and the key personal identifiers
- HIPAA enforcement and the consequences of noncompliance
- Their responsibilities as an individual within the organization
Develop a culture of security
By developing a “culture of security” throughout a business, including regular staff training and knowledge sharing sessions, the risk of data being leaked or stolen as the result of staff error will be significantly reduced. Even something as simple as encouraging staff members to regularly update passwords can improve security standards, and reduce the risk of data being compromised should a device fall into the wrong hands. Further still, businesses should ensure all employees sign a declaration stating they understand the businesses security policies, their responsibilities as an employee, and the penalties associated with noncompliance.
Pay close attention to mobile devices
The increased adoption of BYOD (bring your own device) in healthcare environments presents many potential benefits; however, it also introduces new risks, as devices are carried around between locations, increasing potential for loss, theft, or unauthorized access. Additionally, the familiarity of mobile apps, such as email, text messaging (SMS) and social media, can lead to information being shared in non-secure environments, between clinicians who may not know any better. To mitigate risks associated with mobile devices, organizations must ensure all staff are educated on the risks, take actions to secure devices by way of strong passwords and multi-factor authentication, and only ever exchange sensitive health information via pre-approved HIPAA-secure applications.
Small- and medium-sized practices may feel they are facing an uphill struggle when it comes to HIPAA compliance, but by staying educated, working together, and investing in the right tools, organizations stand a much better chance of staying breach-free, even without the resources to match larger healthcare organizations.